by sugarpile
973 days ago
Fine, I'll concede poor wording on my part. However, in their white paper they specifically have a section "Crypto over HTTPS" which outlines the risks of their new web UI. Yes, the password stays local if no one mucks with delivered JS; however, 1Password being compromised would allow serving of modified JS. This is a new vector only present due to their new web vault model + associated web UI features. They state it themselves in the whitepaper:
"The authenticity and integrity of the web client depends on the security of the host from which it is delivered. An attacker capable of changing the web client on the server could deliver a malicious client to the user"